Twelve US states join for the first time to file multistate data breach lawsuit

ZDNet - Catalin Cimpanu for Zero Day

Lawsuit details a long list of security fails on MIE’s part.

Attorneys general from twelve US states have joined together to file the first-ever joint cross-state HIPAA lawsuit against a healthcare provider that got hacked in the summer of 2015.

The lawsuit, filed in an Indiana court on Monday, alleges that Medical Informatics Engineering and its subsidiary NoMoreClipboard –collectively known and doing business as MIE– had “failed to take adequate and reasonable measures to ensure their computer systems were protected.”

Because of their alleged failings, hackers gained access to MIE's WebChart web app, from which they accessed and stole the personal details of 3.9 million US citizens who visited 11 healthcare providers and 44 radiology clinics that managed patient data via the WebChart app.

Stolen data included a treasure trove of personal information, such as names, phone numbers, home addresses, dates of birth, Social Security numbers, email addresses, passwords, usernames, and security questions, but also healthcare information such as lab results, diagnoses, medical conditions, disability codes, medical records, health insurance information, and even information on patients’ family members.

The vast majority of affected users were located in Indiana –over 1.5 million– but users in other states were also affected, to a lesser degree.

Now, almost three years after the hack, state attorneys general from twelve states have banded together to sue the healthcare provider for numerous failings under the provisions of the Health Insurance Portability and Accountability Act (HIPAA).

The states participating in the lawsuit are Arizona, Arkansas, Florida, Iowa, Indiana, Kansas, Kentucky, Louisiana, Minnesota, Nebraska, North Carolina, and Wisconsin.

According to a copy of the lawsuit, obtained by ZDNet, MIE officials had failed on several fronts when it came to implementing “basic industry-accepted data security measures.”

For example:

Defendants set up a generic “tester” account which could be accessed by using a shared password called “tester” and a second account called “testing” with a shared password of “testing”.

In addition to being easily guessed, these generic accounts did not require a unique user identification and password in order to gain remote access.

In a formal penetration test conducted by Digital Defense in January 2015, these accounts were identified as high risk, yet Defendants continued to employ the use of these accounts.

In fact, [MIE] acknowledged establishing the generic accounts at the request of one of its health care provider clients so that employees did not have to log in with a unique user identification and password.

The “tester” account did not have privileged access but did allow the attacker to submit a continuous string of queries, known as a SQL injection attack, throughout the database as an authorized user.

The queries returned error messages that gave the intruder hints as to why the entry was incorrect, providing valuable insight into the database structure.

The vulnerability to an SQL injection attack was identified as a high risk during a penetration test performed by Digital Defense in 2014.

Digital Defense recommended that Defendant “take appropriate measures to implement the use of parameterized queries, or ensure the sanitization of user input.” Despite this recommendation, Defendants took no steps to remedy the vulnerability.

The intruder used information gained from the SQL error messages to access the “checkout” account, which had administrative privileges. The “checkout” account was used to access and exfiltrate more than 1.1 million patient records from Defendants’ databases.

The SQL error exploit was also used to obtain a second privileged account called “dcarlson”. The “dcarlson” account was used to access and exfiltrate more than 565,000 additional records.

On May 25, 2015, the attacker initiated a second method of attack by inserting malware called a “c99” cell on Defendants’ system. This malware caused a massive number of records to be extracted from Defendants’ databases. The huge document dump slowed down network performance to such an extent that it triggered a network alarm to the system administrator. The system administrator investigated the event and terminated the malware and data exfiltration on May 26, 2015.

Defendant’s post-breach response was inadequate and ineffective.

While the c99 attack was being investigated, the attacker continued to extract patient records on May 26 and May 28, using the privileged “checkout” credentials acquired through use of the SQL queries. On those two days, a total of 326,000 patient records were accessed.

The breach was not successfully contained until May 29, when a security contractor hired by Defendant identified suspicious IP addresses which led the contractor to uncover the principal SQL attack method.

Defendants failed to implement and maintain an active security monitoring and alert system to detect and alert on anomalous conditions such as data exfiltration, abnormal administrator activities, and remote system access by unfamiliar or foreign IP addresses.

The significance of the absence of these security tools cannot be overstated, as two of the IP addresses used to access Defendants’ databases originated from Germany. An active security operations system should have identified remote system access by an unfamiliar IP address and alerted a system administrator to investigate.
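The two SQL defects the complaint describes (queries built from raw input, and raw database errors echoed back to the client) next to the remediation Digital Defense recommended, as an added illustration that is not part of the lawsuit or MIE's code; the table, accounts and passwords are constructed stand-ins, not MIE's schema:

```python
import sqlite3


def make_db():
    """Constructed in-memory table standing in for an application user store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("tester", "tester", "user"), ("checkout", "example-pw", "admin")],
    )
    return conn


def lookup_vulnerable(conn, username):
    """Input is spliced into the SQL text, and the raw parser error is
    returned to the caller: every malformed request teaches the client
    something about the query and table structure."""
    sql = f"SELECT role FROM users WHERE username = '{username}'"
    try:
        row = conn.execute(sql).fetchone()
        return ("ok", row[0] if row else None)
    except sqlite3.Error as exc:
        return ("error", str(exc))  # leaks engine diagnostics to the client


def lookup_parameterized(conn, username):
    """Bound parameter: the input is always data, never SQL syntax.
    Errors are logged server-side (stdout here) and the client gets a
    fixed, uninformative message."""
    try:
        row = conn.execute(
            "SELECT role FROM users WHERE username = ?", (username,)
        ).fetchone()
        return ("ok", row[0] if row else None)
    except sqlite3.Error as exc:
        print(f"[server log] lookup failed: {exc}")
        return ("error", "request failed")


if __name__ == "__main__":
    db = make_db()
    # A lone apostrophe breaks the concatenated query and exposes the error text,
    # while the parameterized form simply finds no such user.
    print(lookup_vulnerable(db, "O'Brien"))
    print(lookup_parameterized(db, "O'Brien"))
```

Note that Digital Defense offered input sanitization as the alternative; parameterization is the stronger fix because it removes the need to predict which characters matter to the SQL parser.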

Now, citing all these alleged failings on MIE’s side, the twelve states are asking an Indiana court to grant relief and civil penalties for all affected victims.
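The monitoring the complaint says was missing (alerts on privileged access from unfamiliar countries and on bulk record reads) can be prototyped in a few lines; the log format, account names, countries, counts and thresholds below are constructed for this added example and are not MIE's logs or tooling:

```python
from collections import defaultdict

# Constructed sample access log (hypothetical format).
# Fields: timestamp, account, source country of the client IP, action, records returned.
LOG = """\
2015-05-26T02:10:00Z checkout DE query 120000
2015-05-26T02:40:00Z checkout DE query 90000
2015-05-26T09:05:00Z jsmith US query 12
2015-05-28T01:15:00Z checkout DE query 200000
2015-05-28T10:00:00Z dcarlson US login 0
"""

PRIVILEGED = {"checkout", "dcarlson"}   # accounts with administrative rights
HOME_COUNTRIES = {"US"}                 # where legitimate access is expected
BULK_THRESHOLD = 10000                  # records per account per calendar day


def parse(log):
    """Yield one dict per log line; assumes the constructed format above."""
    for line in log.splitlines():
        ts, acct, country, action, count = line.split()
        yield {"ts": ts, "acct": acct, "country": country,
               "action": action, "n": int(count)}


def detect(log):
    """Return (rule, account, when) tuples for anomalous conditions."""
    alerts = []
    daily = defaultdict(int)            # records read per (account, day)
    for ev in parse(log):
        # Rule 1: any privileged-account activity from outside home countries.
        if ev["acct"] in PRIVILEGED and ev["country"] not in HOME_COUNTRIES:
            alerts.append(("foreign_privileged_access", ev["acct"], ev["ts"]))
        # Rule 2: cumulative reads crossing the daily threshold (fires once per day).
        key = (ev["acct"], ev["ts"][:10])
        before = daily[key]
        daily[key] += ev["n"]
        if before <= BULK_THRESHOLD < daily[key]:
            alerts.append(("bulk_read", ev["acct"], ev["ts"][:10]))
    return alerts


if __name__ == "__main__":
    for alert in detect(LOG):
        print(alert)
```

The bulk-read rule keys on volume rather than on any signature, which is the same signal that, per the complaint, only surfaced as a network-performance alarm once exfiltration had already saturated the link.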